Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fbd5230c05fa25148fc296490d4270184bd81c8699dfbd5c1c12bb9e268a2981

  • Size

    2.9MB

  • Sample

    231016-f11g2sdh68

  • MD5

    8ffcfd11eaa80781ee64f3aef8ad7fca

  • SHA1

    17b24576ee4f9a91160b80f60c328f5648c7c268

  • SHA256

    fbd5230c05fa25148fc296490d4270184bd81c8699dfbd5c1c12bb9e268a2981

  • SHA512

    c871cc96176cc8bb171261db3d5ebae5bf847edf137de5d38e4e9e127a28116efada8858eaa343fe5e2f7b0f11a9f76746f0d6430acc6a89404756ceba379505

  • SSDEEP

    49152:vVMgl97iBFOHrQ22FciF227AgFmfCorAx1us:aQA5Ea1T

Score
10/10
amadeygluptebaprivateloadervidar5a1fadccb27cfce506dba962fc85426ddropperevasionloaderspywarestealertrojanupx

Malware Config

Extracted

Family

amadey

Version

3.89

C2

http://193.42.32.29/9bDc8sQ/index.php

Attributes
  • install_dir

    1ff8bec27e

  • install_file

    nhdues.exe

  • strings_key

    2efe1b48925e9abf268903d42284c46b

rc4.plain

Extracted

Family

vidar

Version

6

Botnet

5a1fadccb27cfce506dba962fc85426d

C2

https://steamcommunity.com/profiles/76561199560322242

https://t.me/cahalgo
Attributes
  • profile_id_v2

    5a1fadccb27cfce506dba962fc85426d

  • user_agent

    Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0 uacq

Targets

    • Target

      fbd5230c05fa25148fc296490d4270184bd81c8699dfbd5c1c12bb9e268a2981

    • Size

      2.9MB

    • MD5

      8ffcfd11eaa80781ee64f3aef8ad7fca

    • SHA1

      17b24576ee4f9a91160b80f60c328f5648c7c268

    • SHA256

      fbd5230c05fa25148fc296490d4270184bd81c8699dfbd5c1c12bb9e268a2981

    • SHA512

      c871cc96176cc8bb171261db3d5ebae5bf847edf137de5d38e4e9e127a28116efada8858eaa343fe5e2f7b0f11a9f76746f0d6430acc6a89404756ceba379505

    • SSDEEP

      49152:vVMgl97iBFOHrQ22FciF227AgFmfCorAx1us:aQA5Ea1T

    Score
    10/10
    amadeygluptebaprivateloadervidar5a1fadccb27cfce506dba962fc85426ddropperevasionloaderspywarestealertrojanupx

    • Amadey

      Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

      trojanamadey

    • Glupteba

      Glupteba is a modular loader written in Golang with various components.

      loaderdropperglupteba

    • Glupteba payload

    • PrivateLoader

      PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

      loaderprivateloader

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Vidar

      Vidar is an infostealer based on Arkei stealer.

      stealervidar

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Modifies Windows Firewall

      evasion

    • Stops running service(s)

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Accesses 2FA software files, possible credential harvesting

      spywarestealer

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks